Many industries are subject to US government regulation regarding Information Security. Aside from direct government contracting entities, the three main industries affected are now national infrastructure, financial services, and healthcare. Government contractors and the financial industry have dealt with this type of regulation for a long time, but the other two are fairly new to it. The healthcare industry looks more like the financial sector, specifically the credit card processing model, in that even the smallest entities are impacted by the regulations. With the passing of HIPAA, HITECH, and now the Affordable Care Act (commonly referred to as Obamacare), the healthcare industry is undergoing a transformation. How it impacts individual entities is the subject of much concern. The natural reaction is to get away from regulation as much as possible, but these acts leave very little room to breathe. Other industries have already accepted the obligations that Information Security regulation imposes on them, and it is time for healthcare to get serious about it. In this article, I will attempt to break down the specifics and suggest a course of action.
Before suggesting a course of action, an examination of the government regulation is in order, specifically whether the regulation is even applicable to a particular entity. Currently, HIPAA and HITECH apply to healthcare clearinghouses, agencies that must work with the federal government for either Personally Identifiable Information or billing purposes, and professionals in the healthcare field such as doctors and hospital administrators; HITECH also extended many of these obligations to the business associates that handle protected health information on their behalf. This seems to leave some entities out, but be very wary. With the passing of Obamacare, this could be rapidly changing. The observation here is that Obamacare mandates that everyone carry health insurance, and those who are not provided insurance through an employer must purchase it at the state level, funded by the federal government. Although private industry insurance providers are still the carriers, the government oversight here cannot be ignored. Obamacare impacted every man, woman, and child currently carrying insurance by enacting regulation over the industry. Much like the financial industry, the healthcare insurance carriers now cannot ignore governmental regulation. By extension, any entity doing business with the insurance carriers is similarly impacted, much as any business that accepts credit cards must be found to be in compliance with PCI DSS. This is the transformational event that is being addressed right now. The implication is that even the smallest agencies will have to consider HIPAA and HITECH compliance in the very near future. Given the heavy penalties for HIPAA non-compliance and the ramifications stated above, it is in the best interests of any entity planning or operating any type of healthcare business to budget for and implement a security compliance effort, whether or not they feel they are in scope.
HIPAA and HITECH generally go hand in hand, but compliance with one does not equate to compliance with the other, as they have different focus areas. They are complementary rather than conflicting, though, so achieving compliance with one makes it easier to become compliant with the second. The problem with both of these is that they do not state how compliance is to be achieved; they simply lay out the objectives. In order to meet the objectives, another tool must be adopted to move an entity through the design, planning, implementation, and assessment phases and to prove compliance. Many security frameworks are out there, some publicly available, some available for a small licensing cost. None of them is simple in scope, cost, or time. Once a security framework is adopted, a software toolset is typically necessary as well to move the entity through the process. So, to sum up: the government regulation must be examined to see if it applies, a security framework compatible with the regulation must be chosen, and the corresponding toolset must be obtained. These steps are relatively easy to achieve, and as stated above, it is in the best interests of a business to simply submit to the regulation and make the effort to become compliant, as doing otherwise may be the first death knell heard for them.
As many in other industries have pointed out, becoming compliant is very costly, both in capital and in labor. Although there are a few shortcuts that can be taken, the effort itself is the bulk of the cost and cannot be avoided. As in other industries, though, there is hope for entities that simply could not afford the compliance effort otherwise. A new type of B2B entity is beginning to emerge, one that provides a service to small and mid-sized businesses to take the responsibility of compliance out of their hands. This is not a new concept for the financial industry, but it is much larger in scope as applied to the healthcare industry. The healthcare industry cannot simply obtain an approved device and let the worry of compliance fall upon the processor. Or can it? Such a model does not currently exist in the healthcare industry, but perhaps as the industry matures, this could be possible. Currently, though, the headache is squarely on the entity performing transactional services for medical records or medical billing for Medicare or Medicaid reimbursement. So what about private pay agencies? Well, this is a very gray area, as discussed above in relation to Obamacare. Now that everyone is mandated to carry insurance, and insurance will most likely carry some form of long-term care clause, doesn't it follow that the pressure is already evident for private pay home care agencies to be compliant as well? In my opinion, it is.
While this started as a blog specifically for Information Security a.k.a. Information Assurance, Information System Risk Assessment, Computer Security Engineering, and sometimes Cyber Security, I have already expanded it, or at least have needed to post off-topic remarks related to my own life. Therefore, now this is simply a journal for my ramblings, questions I discuss out loud to the general public.